To All,
Here is the latest information regarding Linux and UEFI, as of October 18th.
=-=-=-=-=
Linux Foundation announces that Linux will continue to operate under Secure
Boot-enabled systems.
As reported previously all Windows 8 systems will ship with Secure Boot
enabled. To recap,
this UEFI specification associates the firmware with a signing key that
prohibits users from installing a new operating system. The majority of
Linux desktop systems are installed over an OEM version of Windows, so
the potential for problems is significant.
This week, however, the
Linux Foundation and its Technical Advisory Board announced their plan
to enable Linux (and other open source distributions) to continue
operating under Secure Boot enabled systems. In the announcement, James
Bottomley wrote, “In a nutshell, the Linux Foundation will obtain a
Microsoft Key and sign a small pre-bootloader which will, in turn, chain
load (without any form of signature check) a predesignated boot loader
which will, in turn, boot Linux (or any other operating system).”
According
to the announcement, the pre-bootloader will employ a “present user”
test to ensure that it cannot be used as a vector for any type of UEFI
malware to target secure systems. “The pre-bootloader can be used either
to boot a CD/DVD installer or LiveCD distribution or even boot an
installed operating system in secure mode for any distribution that
chooses to use it. The process of obtaining a Microsoft signature will
take a while, but once it is complete, the pre-bootloader will be placed
on the Linux Foundation website for anyone to download and make use
of,” Bottomley said.
Bottomley noted that this pre-bootloader
“provides no security enhancements over booting linux with UEFI secure
boot turned off,” and the Linux Foundation welcomes efforts by various
distros to tackle the problem and improve platform security. Thus, the
pre-bootloader can be seen as a stop-gap measure giving distributions
time to come up with plans that take advantage of UEFI secure boot.
Right now, EFI firmware is compatible with Windows supporting the
GUID Partition Table (GPT), OS X/Intel, and Linux 2.6 and beyond
machines. EFI is seen as a superior hardware/software interface to BIOS
because it is platform-agnostic and runs in 32- or 64-bit mode and
because GPT machines can handle boot partitions of up to 9.4 zettabytes
(9.4x1021).
However, the benefits of EFI, and the later
UEFI specification, are not particularly impressive to Linus Torvalds.
As far back as 2006, Torvalds stated that many of the the EFI features
were simply duplicating what BIOS had already done.
Torvalds wrote
at the time. “… the problem with EFI is that it actually superficially
looks much better than the BIOS, but in practice it ends up being one of
those things where it has few real advantages, and often just a lot of
extra complexity because of the ‘new and improved’ interfaces that were
largely defined by a committee.”
Despite this disgruntlement, EFI
and UEFI are supported by any kernel past 2.6, so implementing Linux on
such devices is not a problem.
The Linux Foundation is committed to giving users freedom of choice on
their platforms. Conforming to this stance, we have already published a
variety of tools to permit users to take control of their secure boot
platforms by replacing the Platform Key and managing (or replacing) the
installed Key Exchange Keys, here is a link to a Blog post about this :
http://blog.hansenpartnership.com/easier-way-to-take-control-of-uefi-secure-boot-platform/
The Foundation recognizes that not everyone is willing (or able) to do
this so it was also necessary to find a solution that would enable
people to continue to try out Linux and other Open Source Operating
Systems in spite of the barriers UEFI Secure boot would place in their
way and without requiring that they understand how to take control of
their platforms. Therefore, we also formulated a technical plan, which
is implemented in this pre-bootloader, to allow distributions to
continue functioning in a secure boot environment.
The Linux Foundation welcomes efforts by some of the major distributions (e.g.
Fedora, SUSE and Ubuntu)
to tackle the problem of taking full advantage of UEFI secure boot to
enhance platform security and sees the pre-bootloader it is releasing as
a stop-gap measure that will give all distributions time to come up
with plans that take advantage of UEFI secure boot. Here are links to each of
these distributions current solutions :
Fedora :
http://mjg59.dreamwidth.org/12368.html
SUSE :
https://www.suse.com/blogs/uefi-secure-boot-details/
Ubuntu :
https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035445.html
If you are interested in working with source code then here is the source code
for the Linux Foundation pre-bootloader that is available as Loader.c :
http://git.kernel.org/?p=linux/kernel/git/jejb/efitools.git;a=tree
=-=-=-=-=-=-=-
I
hope that you find this information complete enough and also helpful to
your
efforts.
Regards,
Harvey Rothenberg
Systems Integrator/Security Specialist
"Experience is a hard teacher because she gives the test first, the lesson
afterwards." -- Unknown
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
